3 FERPA
FERPA prohibits the unauthorized disclosure of personally identifiable information (PII) contained in students' education records. When we think of education records, we tend to think of real records, the kind you would find collecting dust in a file cabinet. These days a student's PII is often contained in digital or electronic media. FERPA is also concerned with unauthorized disclosure of digital or electronic PII.
Cuddy & McCarthy, LLP 3

4 WHAT IS PII?
Specific identifiers such as name and address of a student, OR
Other information that, alone or in combination, would make it possible for someone in the school community to identify the student with reasonable certainty.
Owasso Indep. Sch. Dist. v. Falvo, 534 U.S. 426 (2002).

5 PII AS OTHER INFORMATION
It might be difficult, if not impossible, for school districts to determine whether a particular document contains PII or could contain PII if it were to be used in combination with other information. Therefore, school districts may want to consider adopting policies that presume all data generated by students, teachers, and staff related to students constitutes an education record. This seems especially wise when school districts are directing third-party technology providers with both information and instructions regarding how they should handle, use, and share the information.

6 COPPA
COPPA requires website operators to protect children's privacy and security online, including restrictions on marketing. COPPA and the Federal Trade Commission (FTC) Rule enforcing it apply to: operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13.
Fed. Trade Comm'n Bureau of Consumer Prot., Complying with COPPA: Frequently Asked Questions, available at: https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions

7 PPRA
What does PPRA do? PPRA is triggered whenever school districts use Internet-based educational services. PPRA provides that:
A student may not be required to submit to a survey, analysis or evaluation that reveals information about the student's or family's political affiliations or beliefs; mental or psychological problems; sexual behavior; and many other topics, without the prior consent of the parent(s).
School districts must develop policies in consultation with parents that address everything from the parent's right to inspect instructional materials to the right of the parent to inspect any instrument used in the collection of personal information before the instrument is administered to the student. 20 U.S.C. § 1232h(c)(1).

8 CIPA
The Children's Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program, a program that makes certain communications services and products more affordable for eligible schools and libraries. In early 2001, the FCC issued rules implementing CIPA and provided updates to those rules in

9 CIPA CONTINUED
Schools and libraries subject to CIPA may not receive the discounts offered by the E-rate program unless they certify that they have an Internet safety policy that includes technology protection measures. The protection measures must block or filter Internet access to pictures that are: (a) obscene; (b) child pornography; or (c) harmful to minors (for computers that are accessed by minors). Before adopting this Internet safety policy, schools and libraries must provide reasonable notice and hold at least one public hearing or meeting to address the proposal.

10 CIPA AND PROTECTING CHILDREN IN THE 21ST CENTURY ACT
Schools subject to CIPA have two additional certification requirements: 1) their Internet safety policies must include monitoring the online activities of minors; and 2) as required by the Protecting Children in the 21st Century Act, they must provide for educating minors about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms, and cyberbullying awareness and response.
The Protecting Children in the 21st Century Act requires school recipients of E-rate funding to adopt Internet Safety Policies that specify the school educates its students about appropriate online behavior. While the FCC does not require school recipients to specify the curriculum in their Internet Safety Policies, it is strongly recommended that schools keep records of the implementation of their chosen method(s) for educating students about appropriate online behavior.

11 WHAT HAPPENS IF YOU VIOLATE THE KEY PROVISIONS OF CIPA AND PROTECTING CHILDREN IN THE 21ST CENTURY ACT?
The Universal Service Administrative Company (USAC), which administers the Universal Service Fund (USF), could institute an action seeking recovery of E-rate funds.

12 NETWORK SECURITY
Network Security [security policies, implementing software, and the role of hardware]
Internal Security vs. External Security
Internal Security: a host of measures adopted to prevent individuals a school district allows to access its network from engaging in unauthorized or unlawful activity on the network.
External Security: a host of measures adopted to prevent the inadvertent disclosure of sensitive or confidential information (think PII) and the unauthorized access of such information by anyone on the internet.

13 PRACTICAL CONSIDERATIONS: CLOUD COMPUTING, STUDENT PRIVACY, AND THE LAW
Cloud computing is the delivery of on-demand computing resources (everything from applications to data centers) over the internet on a pay-for-use basis.
Kinds of Clouds
Software as a Service (SaaS): software hosting
Platform as a Service (PaaS): application development or deployment
Infrastructure as a Service (IaaS): data hosting

14 PROCUREMENT OF COMPUTER-BASED SERVICES AND DATA SERVICES
Technology advances:
Becoming a paperless educational system
Computer-based everything
Data storage
Where does the information go?
Who has access to it?
Who is responsible for its safekeeping?
Can you audit compliance with contracts for services or data storage?

15 PRIVACY
Why do we care about privacy?
Data mining by companies like Google and Microsoft.
Advertisements based on search engine history, Facebook, etc.
Searching cloud storage for trends and commonality to sell.
State law precludes release of identifiable lists of students, faculty or staff for direct marketing of goods or services by telephone or mail except for legitimate educational purposes as defined by PED. NMSA 1978 Section (damages and attorneys' fees awarded for violation).

16 PRIVACY CONTINUED
Not knowing how much regulated data is on or accessible by mobile devices and clouds, or used by school employees, or transferred to cloud-based file sharing applications.
Unsecured student and employee mobile devices.

17 CONTRACTS WITH THIRD-PARTIES OFFERING CLOUD COMPUTING SERVICES
School district owns its data exclusively.
What the provider will do to protect the school district from data loss, unauthorized disclosure and changes and theft.
Set forth the provider's responsibility in the event of a data breach.
Address the unique data confidentiality requirements of the school district in detail (FERPA, IPRA etc.).

18 CONTRACTS CONTINUED
Provide for an effective privacy and security audit.
Limit the provider's use of data to solely what is necessary for its fulfillment of its obligations under the contract.
Specifically exclude the provider from any data mining of student/parent or employee and school district data or allowing third parties or affiliated parties to do so.
Exclude all other collateral commercial uses of student/parent, employee and school district data.

19 CONTRACTS CONTINUES TO CONTINUE
School district must be able to access its data in a specific format when it is needed for audits, investigations and litigation.
Provider will not be allowed to modify or destroy the school district's data; the school district should be able to control when its data is destroyed, duplicated and preserved.
Restrict the provider to storing the data in the United States, where the laws protecting data are enforceable. Outside countries may allow data mining.

20 BEWARE: CONTRACT LANGUAGE
Beware of deals, programs or additional services to be purchased to provide data privacy and security from the provider who can do it under contract at no additional cost.
Beware of indemnification provisions in user agreements requiring the school district to indemnify the provider if it has a data breach or security breach, or releasing the provider from liability for its own negligence.
Beware of dispute resolution provisions barring litigation and requiring arbitration.
Beware of dispute resolution provisions providing that if there is litigation it will be limited to the home state of the provider or some other jurisdiction outside of New Mexico.
